PfSense + ESXi + SG 300 - Architecting Question

I'm having a bit of trouble wrapping my head around how to change my architecture (introducing pfSense) while maintaining the same functionality. Any help would be greatly appreciated. My current setup is illustrated in the setup1 picture below.

DSL Modem in Bridge Mode

Asus Wifi/Router terminates that connection and acts as the NAT

Asus Router is connected to VLAN1 of the SG300 which is in trunk mode (this gives all my vlans internet access)

Servers and ESXi in VLAN 20

NAS in VLAN30

What I want to do is get rid of using the ASUS device for routing and replace that with pfSense. Here's where I'm running into issues (thinking about it). pfSense will be on ESXi01, which also houses all of the VLAN20 virtual machines. ESXi01 has 6 physical NICs that I can leverage. The question I have is: do I connect the modem directly to the ESXi box (this would be considered the WAN port) and then have another NIC associated with pfSense connected back to the switch (VLAN 1) that was previously used with the ASUS router? The desiredsetup picture is what that looks like.

I have ESXi 6 running pfSense plus other VMs on different VLANs, and an SG300 (sweet little switch for the price).

I have 4 interfaces on my ESXi box.

Interface 1 is connected to the WAN vSwitch - this is directly connected to my cable modem (SB6120).
Interface 2 is connected to the LAN vSwitch - this is connected to an SG300 access port.
Interface 3 is connected to the WLAN vSwitch, which is set to 4095 (all VLANs - trunk); this connects to an SG300 trunk port.

The pfSense interface in this vSwitch has some VLANs on it for guest wireless, my PS3 network, etc.

Interface 4 in ESXi I use for VMkernel and management - this is on the LAN network.

I can post up some drawings of this, but I am on my way out. I also have another switch that is connected via trunk to the SG300 so I can put stuff on the WLAN and LAN network on that switch. I only have the SG300-10.

Cheers,
Brad

Depends on a couple of things. Number of hosts you are using on the SG300, for one. The SG300 is a layer 3 switch (but with limited TCAM space, so you can only do hardware routing of ~500 entries; you may have to check for the -10 model, it might be less). I usually configure switches as layer 3 and put a separate VLAN between the firewall and switch on the inside, and add routes to the other subnets on the pfSense box. I normally also put the Internet hand-off in another VLAN that doesn't have an IP address (strictly a layer 2 VLAN, not an SVI), so I can collect statistics on the switchport. That may not work in your instance; I believe PPPoE is layer 2 at some level, and you may need to connect your bridge-mode DSL modem directly to your ESXi host's NIC. Again, I do it with VLANs in my scenarios, but you could create a separate vSwitch, assign one of your physical NICs to it, connect your DSL modem to that interface, and then add a virtual NIC to your pfSense VM attached to that vSwitch.

If you use your existing proposal and keep the SG300 in layer 2 mode, you will need to create VLAN interfaces on the "inside" interface of your pfSense VM to match your existing trunk configuration on your switch, and it needs to have the IP address that the ASUS router has in each VLAN currently to make the transition seamless (no changes needed to existing devices).

If you are within the TCAM budget of your switch, I would place it in layer 3 mode, assign each VLAN the IP address currently on the ASUS, and then the extra VLAN/subnet between the switch and firewall, with the default route on the switch pointing to the firewall's internal IP address. Much cleaner design unless you need actual firewall functionality between VLANs.

Please also note: switching an SG300 between layer 2 and layer 3 mode causes an instant reboot and total reset to factory of the device (TCAM re-programming).
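The two designs in the reply above (SG300 left in layer 2 with one tagged pfSense interface per VLAN, versus SG300 in layer 3 with SVIs, a transit VLAN and a default route to the firewall) are easy to get subtly wrong: an overlapping subnet, a next hop that is not on the transit VLAN, or more hardware routes than the TCAM holds. The script below is an added example, not code from the thread or from pfSense or Cisco; it plans both designs from a VLAN table and refuses a plan that fails those checks. Every address, the VLAN numbers, the `vmx1` parent interface name and the 500-entry budget are constructed placeholders; the SG300 CLI lines it prints are modelled on that switch's syntax and should be verified against the firmware's CLI guide before use.

```python
"""Plan and sanity-check the two pfSense + SG300 designs from the reply.

Added example (not from the thread). All addresses below are constructed
placeholders; the real ASUS gateway IPs would be read off the current router.
"""
from ipaddress import ip_interface

# Constructed: the gateway address the ASUS currently holds in each VLAN.
# In both designs these addresses must survive so existing hosts need no changes.
EXISTING_VLANS = {
    1: "192.168.1.1/24",    # former ASUS LAN / management
    20: "192.168.20.1/24",  # servers + ESXi
    30: "192.168.30.1/24",  # NAS
}
# Constructed transit VLAN between firewall and switch (layer 3 design only).
TRANSIT_VLAN = 250
TRANSIT_FW = "10.255.250.1/30"   # pfSense side
TRANSIT_SW = "10.255.250.2/30"   # SG300 SVI side
HW_ROUTE_BUDGET = 500            # approximate TCAM limit quoted in the reply


def overlapping(ifaces):
    """Return True if any two interface subnets in the list overlap."""
    nets = [ip_interface(i).network for i in ifaces]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def l2_design(vlans, parent="vmx1"):
    """SG300 stays layer 2: pfSense carries one tagged sub-interface per VLAN
    on its inside NIC, each holding the old ASUS address.
    Returns [(vlan, pfSense interface name, address), ...]."""
    if overlapping(vlans.values()):
        raise ValueError("VLAN subnets overlap")
    return [(v, f"{parent}.{v}", addr) for v, addr in sorted(vlans.items())]


def l3_design(vlans, transit_vlan, fw_addr, sw_addr, budget=HW_ROUTE_BUDGET):
    """SG300 in router mode: SVIs hold the old ASUS addresses, a transit VLAN
    links switch and firewall. Returns (svis, switch_default_route,
    pfsense_static_routes); raises if the next hops are not on one transit
    subnet, subnets overlap, or the route count exceeds the TCAM budget."""
    fw, sw = ip_interface(fw_addr), ip_interface(sw_addr)
    if fw.network != sw.network:
        raise ValueError("firewall and switch transit addresses are on different subnets")
    if overlapping(list(vlans.values()) + [fw_addr]):
        raise ValueError("a VLAN subnet overlaps the transit subnet or another VLAN")
    svis = dict(vlans)
    svis[transit_vlan] = sw_addr
    # Switch: single default route toward the firewall's transit address.
    switch_default = ("0.0.0.0/0", str(fw.ip))
    # pfSense: one static route per inside subnet via the switch's transit address,
    # so return traffic for VLAN 20/30 hosts goes back through the switch.
    pf_routes = [(str(ip_interface(a).network), str(sw.ip)) for a in vlans.values()]
    hw_routes = len(svis) + 1  # connected routes plus the default (rough TCAM count)
    if hw_routes > budget:
        raise ValueError(f"{hw_routes} hardware routes exceed the budget of {budget}")
    return svis, switch_default, pf_routes


def render_sg300(svis, default_route):
    """Render the layer 3 plan as SG300-style CLI (assumed syntax; verify on the box)."""
    lines = []
    for vlan, addr in sorted(svis.items()):
        iface = ip_interface(addr)
        lines.append(f"interface vlan {vlan}")
        lines.append(f" ip address {iface.ip} {iface.netmask}")
    prefix, nexthop = default_route
    lines.append(f"ip route {ip_interface(prefix).ip} {ip_interface(prefix).netmask} {nexthop}")
    return "\n".join(lines)


if __name__ == "__main__":
    for vlan, name, addr in l2_design(EXISTING_VLANS):
        print(f"L2 design: VLAN {vlan} -> pfSense {name} {addr}")
    svis, default, routes = l3_design(EXISTING_VLANS, TRANSIT_VLAN, TRANSIT_FW, TRANSIT_SW)
    print(render_sg300(svis, default))
    for net, gw in routes:
        print(f"pfSense static route: {net} via {gw}")
```

The layer 3 plan prints the SVI addresses, the switch's default route toward the firewall, and the static routes pfSense needs back toward the switch; the layer 2 plan lists the tagged sub-interfaces pfSense must carry on its inside NIC. Either function raising is the cue to fix the address plan before touching the switch, since the reply notes that changing the SG300's system mode wipes its configuration.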